Re: Allowing a domain user account (specify) to add workstation to Windows 2000 domain (SP4)
- From: "J.H" <jpthsd@xxxxxxxxxxx>
- Date: Tue, 14 Nov 2006 15:42:57 -0800
Hi there,
Thanks for your reply.
1. Should I create Security Global group or Domainlocal Security?
2. I see that I can create a domain user account, add this user account onto
the domain group that I just created, and in restricted group, add the domain
group onto the restricted group of GPO, then member = BUILTIN\Administrator
Is that it?
Thanks,
JPTH
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:ObwMAQ$BHHA.204@xxxxxxxxxxxxxxxxxxxxxxx
Just use a standard domain user and create a new domain group that is placed
into the local administrators group on the workstation. If you use
restricted groups you can then modify the group membership to get users into
and out of the local admin groups with minimal effort.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx
The gpo settings are at:
computer configuration \ windows settings \ restricted groups
group = your group to be made local admins
member of = BUILTIN\Administrators
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx
There is absolutely nothing that has to be done on the client side.
Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.
To provide users the ability to add workstations Delegate the right to a
group (The same group as in the restricted group used above?).
Create a new security group and provide it the ability to only join
computers to the domain via the "Delegation of Control" wizard. Then join
the user account to this new group.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"J.H" <jpthsd@xxxxxxxxxxx> wrote in message
news:OWtAcS1BHHA.4740@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Previously, we removed the right to add workstation to Windows 2000
domain.
However, now we are trying to expand our IT dept, so hiring more IT Help
Desk Support,
We'd like to allow IT Help Desk Support technician to: (without giving the
domain_admin right)
a. login onto the workstation with administrator privilege (domain account
logon)
b. having ability to add any workstation onto the Windows 2000 domain
Any one can suggest the hint, please let us know, we appreciate your help
Regards,
JPTH
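
Added example, not part of the thread: the Restricted Groups settings discussed above are stored in the GPO's security template (GptTmpl.inf) under [Group Membership], where "Member of" adds a group to local Administrators and "Members" on Administrators itself replaces the existing membership. This sketch audits which form a template uses; the SIDs and template contents are constructed placeholders.

```python
import re

# Well-known SID and names for the local Administrators group.
ADMIN_IDS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed sample: "Member of" style, as in the quoted advice
# (group = help desk group, member of = BUILTIN\Administrators).
SAMPLE_MEMBER_OF = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
"""

# Constructed sample: "Members of this group" set on Administrators itself.
SAMPLE_MEMBERS = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-500,*S-1-5-21-1111-2222-3333-1105
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [values]} from the section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(members|memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            values = [v.strip() for v in m.group(3).split(",") if v.strip()]
            entries[(m.group(1).strip(), m.group(2).lower())] = values
    return entries

def local_admin_grants(inf_text):
    """List (principal, mode) pairs that end up in local Administrators."""
    grants = []
    for (group, kind), values in parse_group_membership(inf_text).items():
        if kind == "memberof" and any(v.lower() in ADMIN_IDS for v in values):
            grants.append((group, "additive"))  # existing local admins are kept
        elif kind == "members" and group.lower() in ADMIN_IDS:
            grants += [(v, "replace") for v in values]  # unlisted admins are removed
    return grants
```

A "replace" result means any local administrator not listed in the template is removed at the next policy refresh, so the list should be reviewed before the GPO is linked to the computers' OU.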